Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

On boarding certificates installation failed

  • 1.  On boarding certificates installation failed

    Posted Oct 02, 2013 05:40 AM
    Hello guys,

    We're configuring ClearPass Onboard, and iOS devices are not able to install certificates; they get timeout errors.

    I heard from other Aruba guys that, for iOS devices, we should bypass the captive portal that pops up (pseudo-browser) after we connect to an SSID in the iPhone's Wi-Fi settings.

    This can be done in a Cisco WLC with this command:
    'config network web-auth captive portal bypass enable'

    But this is applied globally and not on a per-WLAN basis, so it is affecting other SSIDs as well. Is there any way to bypass this portal on a per-WLAN basis only? Please guide me on this.

    Thanks,
    Bharani


  • 2.  RE: On boarding certificates installation failed
    Best Answer

    EMPLOYEE
    Posted Oct 02, 2013 06:09 AM

    You can do it on Aruba wireless per SSID, but I believe that is an issue with the Cisco WLC. I would recommend that you contact Cisco support to see if they have another workaround. Unfortunately the Apple CNA is an issue that all vendors run into.



  • 3.  RE: On boarding certificates installation failed

    Posted Oct 02, 2013 06:52 AM

    Thank you very much, Troy, for your quick replies! :) I'll contact them.



  • 4.  RE: On boarding certificates installation failed

    Posted Oct 02, 2013 11:59 PM

    Troy,

    Just want to confirm this.

    For iOS device provisioning, is there any way we can specify in the ClearPass provisioning configuration that we need to skip the automatic pop-up of Apple's Captive Network Assistant (CNA) and just make the user open the browser (say Safari) to install the certificates?

    Thanks,

    Bharani



  • 5.  RE: On boarding certificates installation failed

    EMPLOYEE
    Posted Oct 03, 2013 12:06 AM

    It might be because of my 17-hour day here, but I guess I'm lost on what your question is. :)

    1. Are you asking if that is the process?

    or

    2. Are you asking whether we can add it to the guide/GUI?



  • 6.  RE: On boarding certificates installation failed

    Posted Oct 03, 2013 12:16 AM

    Hi Troy,

     

    Okay. This is my question. An iPhone user connects to the Onboard SSID and enters his username/password, and the request is received by ClearPass. ClearPass pushes the redirect URL (Onboard portal) to the user for provisioning.

    Normally, on Android and Windows, after this step the user has to manually open a browser, gets redirected, and installs the certificates for Onboard.

    But on iOS, Apple's CNA pops up and asks us to install the certificate. This is where we're getting our error. So our requirement is to bypass this CNA so that the user will use the browser to install the certs.

    Are we able to configure this bypass feature in ClearPass for iOS device provisioning?

    Thanks,

    Bharani



  • 7.  RE: On boarding certificates installation failed
    Best Answer

    EMPLOYEE
    Posted Oct 03, 2013 12:24 AM

    The issue with the Apple CNA is that the device will go to the web and try to hit an Apple website (in iOS 7 it's multiple sites they round-robin). If the device isn't able to reach the site, it will pop open the CNA.

    So the workaround to keep the device from popping open the CNA is that you need to configure your wireless controller to allow those sites to be accessible when the user first connects.

    In Aruba wireless you can use landing.php to work around this, but each vendor has their own way of doing it.

    Unfortunately, the way Apple built the CNA, it's not something that can be controlled by ClearPass. It has to be done at the connection level.

    I know there are some other people who follow this group that might have some insight on Cisco, but I have limited knowledge of how you could do it in a Cisco WLC.
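    A way to verify the workaround described above from a client sitting in the pre-auth role: fetch Apple's captive-detection probe page the way the device does and classify what the walled garden returns. This is an added example, not code from the thread or from ClearPass; the probe URL and the expected "Success" body are Apple's hotspot-detect page (the thread only says "an Apple website"), and the timeout value is an assumption.

```python
"""Check whether a pre-auth ACL / walled garden lets Apple's captive-network
probe through, so the CNA does not pop during Onboard provisioning.
Added example; probe URL and expected body are Apple's hotspot-detect page,
the 5 s timeout is an assumption."""
import urllib.error
import urllib.request

# Assumption: this is one of the hosts iOS probes (the thread notes iOS 7
# round-robins among several such hosts, so check each one your ACL allows).
PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
EXPECTED_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


def classify_probe(status, body, final_url):
    """Decide what iOS would conclude from a probe result.

    'open'        - the genuine Success page came back: CNA stays closed.
    'intercepted' - redirected or rewritten by a captive portal: CNA pops.
    'blocked'     - no HTTP answer at all (ACL drop, DNS failure): CNA pops.
    """
    if status is None:
        return "blocked"
    if status == 200 and body.strip() == EXPECTED_BODY and final_url == PROBE_URL:
        return "open"
    return "intercepted"


def run_probe(url=PROBE_URL, timeout=5):
    """Fetch the probe URL as a freshly associated client would and classify it.

    urlopen follows redirects, so a portal redirect shows up as a changed
    final URL (geturl) and is reported as 'intercepted'.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read(), resp.geturl())
    except urllib.error.HTTPError as e:
        # Portal answered with 4xx/5xx instead of the Success page.
        return classify_probe(e.code, e.read(), e.geturl())
    except (urllib.error.URLError, OSError):
        # Connection refused, DNS failure or timeout: nothing reached the device.
        return classify_probe(None, b"", url)


if __name__ == "__main__":
    # Run this from a device in the pre-auth role; 'open' means the CNA
    # will not be triggered by this probe host.
    print("probe result:", run_probe())
```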